
Bug#942024: stretch-pu: package openjpeg2/2.1.2-1.1+deb9u4



Package: release.debian.org
Severity: normal
Tags: stretch
User: release.debian.org@packages.debian.org
Usertags: pu

Dear release managers,

as discussed in #939553[0], no DSA will be issued by the security team for
CVE-2018-21010 and this vulnerability can be fixed via -pu. The attached
debdiff addresses this issue, along with CVE-2018-20847 and CVE-2018-21010.

Patches for CVE-2018-20847 and CVE-2018-21010 are straight from upstream.
Concerning CVE-2018-21010, I did a few changes to remove non-security
related refactoring and improve readability.

thanks!

cheers,
Hugo

[0] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=939553

-- 
                Hugo Lefeuvre (hle)    |    www.owl.eu.com
RSA4096_ 360B 03B3 BF27 4F4D 7A3F D5E8 14AA 1EB8 A247 3DFD
ed25519_ 37B2 6D38 0B25 B8A2 6B9F 3A65 A36F 5357 5F2D DC4C
diff -Nru openjpeg2-2.1.2/debian/changelog openjpeg2-2.1.2/debian/changelog
--- openjpeg2-2.1.2/debian/changelog	2019-03-07 22:41:30.000000000 +0100
+++ openjpeg2-2.1.2/debian/changelog	2019-10-08 15:20:27.000000000 +0200
@@ -1,3 +1,16 @@
+openjpeg2 (2.1.2-1.1+deb9u4) stretch; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2018-21010: heap buffer overflow in color_apply_icc_profile
+    (Closes: #939553).
+  * CVE-2018-20847: improper computation of values in the function
+    opj_get_encoding_parameters, leading to an integer overflow
+    (Closes: #931294).
+  * CVE-2016-9112: floating point exception or divide by zero in the
+    function opj_pi_next_cprl (Closes: #844551).
+
+ -- Hugo Lefeuvre <hle@debian.org>  Tue, 08 Oct 2019 15:20:27 +0200
+
 openjpeg2 (2.1.2-1.1+deb9u3) stretch-security; urgency=medium
 
   * Non-maintainer upload by the Security Team.
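
Review bot: the changelog entry and the series file both name CVE-2016-9112 as the third fix, while the cover letter above lists CVE-2018-21010 twice (once as the issue discussed in #939553 and again as the third CVE next to CVE-2018-20847) and then says the CVE-2018-21010 patch was modified from upstream; the second mention in the cover letter presumably should read CVE-2016-9112, so that the upload description and d/changelog agree. The entry itself is fine: each item names the affected function and closes its bug.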
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch	1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.1.2/debian/patches/CVE-2016-9112.patch	2019-10-08 15:20:27.000000000 +0200
@@ -0,0 +1,59 @@
+Subject: fix division by zero and undefined behavior on shift in pi.c
+Author: Even Rouault <even.rouault@spatialys.com>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/d27ccf01c68a31ad
+--- a/src/lib/openjp2/pi.c	2019-10-08 15:46:03.364003550 +0200
++++ b/src/lib/openjp2/pi.c	2019-10-09 08:59:02.183880328 +0200
+@@ -360,6 +360,17 @@
+ 					try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
+ 					rpx = res->pdx + levelno;
+ 					rpy = res->pdy + levelno;
++
++					/* To avoid divisions by zero / undefined behaviour on shift */
++					/* in below tests */
++					/* Fixes reading id:000026,sig:08,src:002419,op:int32,pos:60,val:+32 */
++					/* of https://github.com/uclouvain/openjpeg/issues/938 */
++					if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++					        rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
++					    continue;
++					}
++
++					/* See ISO-15441. B.12.1.3 Resolution level-position-component-layer progression */
+ 					if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
+ 						continue;	
+ 					}
+@@ -441,6 +452,17 @@
+ 					try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
+ 					rpx = res->pdx + levelno;
+ 					rpy = res->pdy + levelno;
++
++					/* To avoid divisions by zero / undefined behaviour on shift */
++					/* in below tests */
++					/* Relates to id:000019,sig:08,src:001098,op:flip1,pos:49 */
++					/* of https://github.com/uclouvain/openjpeg/issues/938 */
++					if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++					        rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
++					    continue;
++					}
++
++					/* See ISO-15441. B.12.1.4 Position-component-resolution level-layer progression */
+ 					if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
+ 						continue;	
+ 					}
+@@ -520,6 +542,17 @@
+ 					try1 = opj_int_ceildiv(pi->ty1, (OPJ_INT32)(comp->dy << levelno));
+ 					rpx = res->pdx + levelno;
+ 					rpy = res->pdy + levelno;
++
++					/* To avoid divisions by zero / undefined behaviour on shift */
++					/* in below tests */
++					/* Fixes reading id:000019,sig:08,src:001098,op:flip1,pos:49 */
++					/* of https://github.com/uclouvain/openjpeg/issues/938 */
++					if (rpx >= 31 || ((comp->dx << rpx) >> rpx) != comp->dx ||
++					        rpy >= 31 || ((comp->dy << rpy) >> rpy) != comp->dy) {
++					    continue;
++					}
++
++					/* See ISO-15441. B.12.1.5 Component-position-resolution level-layer progression */
+ 					if (!((pi->y % (OPJ_INT32)(comp->dy << rpy) == 0) || ((pi->y == pi->ty0) && ((try0 << levelno) % (1 << rpy))))){
+ 						continue;	
+ 					}
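
Review bot: the same guard is inserted verbatim into three progression iterators (the ISO B.12.1.3, B.12.1.4 and B.12.1.5 comments place it in the RPCL, PCRL and CPRL loops), yet the changelog item for CVE-2016-9112 names only opj_pi_next_cprl; either list all three functions or say "in the pi.c progression iterators" so the entry matches what ships. The guard itself is sound: rejecting rpx/rpy >= 31 and any shift that does not round-trip keeps `comp->dx << rpx`, `comp->dy << rpy` and the `1 << rpy` in the existing modulo test within defined range, and `levelno <= rpx` so `try0 << levelno` is covered too. Two smaller points: the `continue;` inside each new `if` is indented with spaces after the tab run while the surrounding code is tab-only, and the header carries `Subject:`/`Origin:` but no `Bug-Debian:` field, which DEP-3 allows but which would make it easier to trace #844551 back to this patch.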
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch	1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.1.2/debian/patches/CVE-2018-20847.patch	2019-10-08 15:20:27.000000000 +0200
@@ -0,0 +1,36 @@
+Description: fix integer overflow in opj_get_encoding_parameters
+ This bug is known at three places in the source code:
+ opj_get_all_encoding_parameters() and opj_tcd_init_tile() in pi.c and tcd.c
+ (both fixed _before_ the release of 2.1.2), and opj_get_encoding_parameters()
+ in pi.c. This patch addresses the issue in opj_get_encoding_parameters().
+Author: Young_X <YangX92@hotmail.com>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/c58df149900df862
+--- a/src/lib/openjp2/pi.c	2019-10-08 15:42:07.754437740 +0200
++++ b/src/lib/openjp2/pi.c	2019-10-08 15:46:03.364003550 +0200
+@@ -574,6 +574,9 @@
+ 	/* position in x and y of tile */
+ 	OPJ_UINT32 p, q;
+ 
++	/* non-corrected (in regard to image offset) tile offset */
++	OPJ_UINT32 l_tx0, l_ty0;
++
+ 	/* preconditions */
+ 	assert(p_cp != 00);
+ 	assert(p_image != 00);
+@@ -589,10 +592,12 @@
+ 	q = p_tileno / p_cp->tw;
+ 
+ 	/* find extent of tile */
+-	*p_tx0 = opj_int_max((OPJ_INT32)(p_cp->tx0 + p * p_cp->tdx), (OPJ_INT32)p_image->x0);
+-	*p_tx1 = opj_int_min((OPJ_INT32)(p_cp->tx0 + (p + 1) * p_cp->tdx), (OPJ_INT32)p_image->x1);
+-	*p_ty0 = opj_int_max((OPJ_INT32)(p_cp->ty0 + q * p_cp->tdy), (OPJ_INT32)p_image->y0);
+-	*p_ty1 = opj_int_min((OPJ_INT32)(p_cp->ty0 + (q + 1) * p_cp->tdy), (OPJ_INT32)p_image->y1);
++	l_tx0 = p_cp->tx0 + p * p_cp->tdx; /* can't be greater than p_image->x1 so won't overflow */
++	*p_tx0 = (OPJ_INT32)opj_uint_max(l_tx0, p_image->x0);
++	*p_tx1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_tx0, p_cp->tdx), p_image->x1);
++	l_ty0 = p_cp->ty0 + q * p_cp->tdy; /* can't be greater than p_image->y1 so won't overflow */
++	*p_ty0 = (OPJ_INT32)opj_uint_max(l_ty0, p_image->y0);
++	*p_ty1 = (OPJ_INT32)opj_uint_min(opj_uint_adds(l_ty0, p_cp->tdy), p_image->y1);
+ 
+ 	/* max precision is 0 (can only grow) */
+ 	*p_max_prec = 0;
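
Review bot: the comment `can't be greater than p_image->x1 so won't overflow` on `l_tx0 = p_cp->tx0 + p * p_cp->tdx` only holds if p_tileno has already been validated against `p_cp->tw * p_cp->th` by the caller; the preconditions visible here (`p_cp != 00`, `p_image != 00`) do not check that, so either confirm the caller does or document the `p_tileno` precondition next to the existing asserts. The patch also depends on opj_uint_max, opj_uint_min and opj_uint_adds being present in the 2.1.2 tree; the description says the same fix landed in opj_get_all_encoding_parameters before 2.1.2, so they should be there, but a clean stretch build is the check that matters. The `(OPJ_INT32)` casts now apply to the unsigned results, which are bounded by p_image->x1/y1, so the narrowing is intentional and the saturating `opj_uint_adds` is what removes the original overflow.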
diff -Nru openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch
--- openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch	1970-01-01 01:00:00.000000000 +0100
+++ openjpeg2-2.1.2/debian/patches/CVE-2018-21010.patch	2019-10-08 15:20:27.000000000 +0200
@@ -0,0 +1,26 @@
+Description: color_apply_icc_profile: avoid potential heap buffer overflow 
+ This patch addresses CVE-2018-21010. It differs slightly from upstream's
+ patch in that we avoid whitespace refactoring and complex nested ifs.
+Author: Even Rouault <even.rouault@spatialys.com>, Hugo Lefeuvre <hle@debian.org>
+Origin: upstream, https://github.com/uclouvain/openjpeg/commit/2e5ab1d9987831c9
+--- a/src/bin/common/color.c	2019-10-08 15:26:20.349834699 +0200
++++ b/src/bin/common/color.c	2019-10-08 15:28:25.492050700 +0200
+@@ -496,6 +496,18 @@
+ 
+ 	if(image->numcomps > 2)/* RGB, RGBA */
+ 	{
++
++		if (!(image->comps[0].w == image->comps[1].w &&
++		      image->comps[0].w == image->comps[2].w) ||
++		    !(image->comps[0].h == image->comps[1].h &&
++		      image->comps[0].h == image->comps[2].h))
++		{
++			fprintf(stderr,
++			"[ERROR] Image components should have the same width and height\n");
++			cmsDeleteTransform(transform);
++			return;
++		}
++
+ 		if( prec <= 8 )
+ 		{
+ 			unsigned char *inbuf, *outbuf, *in, *out;
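
Review bot: the new width/height check compares only comps[0..2], which is sufficient if the transform reads just those three planes, but the branch comment says `RGB, RGBA`; if the alpha plane is copied through using comps[0].w/h anywhere below, comps[3] needs the same check. Since the description says this patch deliberately drops parts of upstream's 2e5ab1d9, it should also state whether any upstream hunk for the `numcomps <= 2` branch was dropped, so a later reviewer does not have to re-diff against upstream. Minor: the first Description line ends in trailing whitespace, and on the new error path `transform` is released via cmsDeleteTransform but the image is returned unconverted rather than flagged as an error, which callers of color_apply_icc_profile should be aware of.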
diff -Nru openjpeg2-2.1.2/debian/patches/series openjpeg2-2.1.2/debian/patches/series
--- openjpeg2-2.1.2/debian/patches/series	2019-03-07 22:40:20.000000000 +0100
+++ openjpeg2-2.1.2/debian/patches/series	2019-10-08 15:20:27.000000000 +0200
@@ -15,3 +15,7 @@
 CVE-2018-6616.patch
 CVE-2018-14423.patch
 CVE-2018-5785.patch
+
+CVE-2018-21010.patch
+CVE-2018-20847.patch
+CVE-2016-9112.patch
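
Review bot: the empty line added before the three new entries is harmless to quilt but unusual in this series file (the existing entries are contiguous); drop it for consistency. The order matters here: CVE-2018-20847.patch and CVE-2016-9112.patch both modify src/lib/openjp2/pi.c, and the CVE-2016-9112 patch was generated against a tree with CVE-2018-20847 already applied (its `---` timestamp, 15:46:03.364003550, matches the `+++` timestamp of the CVE-2018-20847 patch), so keep this order or the hunk offsets (@@ -360, -441, -520) will need refreshing.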
